Skip to content
Studio
← All kits
Governance/KVKKVersion 1.0July 13, 2026· Microsoft LearnOfficial source

Copilot Studio security & governance (official)

The official control set for governing Copilot Studio at enterprise scale: data policies/DLP, Purview & Sentinel auditing, environment routing, managed environments, CMK and autonomous-agent governance — with the KVKK angle.

This is a summary with a canonical link to the original Microsoft resource; up-to-date content lives at the source. — Microsoft Learn.

Standing up an agent is easy; governing it safely, predictably and auditably is the real work. Microsoft’s official security & governance doc lists concrete, tenant-wide controls you can apply.

Key controls:

  • Data policies / DLP: govern maker & user authentication, knowledge sources, connectors/actions/skills, HTTP requests, channel publication and triggers.
  • Purview audit logs: admins get full visibility into maker activity in Microsoft Purview.
  • Microsoft Sentinel: monitoring and alerting on agent activity.
  • Environment routing & managed environments: a safe build space for makers; per-environment policy.
  • Autonomous-agent governance: constrain trigger-based agent capabilities with data policies (against data exfiltration).
  • CMK (customer-managed keys), Customer Lockbox and restricting data movement outside the US.
  • Admins can turn off publishing of generative-AI agents tenant-wide.

KVKK angle: geographic data residency + Purview auditing + DLP masking are cornerstones of KVKK/EUDB readiness. Honest caveat: verify “adequacy” and your data-processing location for your own scenario. This page is the official basis of the site’s “Governance & KVKK Starter Kit.”